A close look at the list of issues addressed with the Microsoft January 2019 Patch Tuesday reveals that 7 flaws are rated critical, none was exploited in attacks in the wild.

The vulnerabilities rated as critical could be exploited by attackers for remote code execution, most of them affect Windows 10 and Server editions.

Three out of seven critical issues affect the ChakraCore scripting engine in the Edge browser, two affect Microsoft’s Hyper-V server virtualization environment, one impacts Edge, and one affects the Windows DHCP client.

The CVE-2019-0547 vulnerability resides in the Mitch Adair of the Microsoft Windows Enterprise Security Team, it could be exploited by an attacker to send a specially crafted DHCP response to a client in order to perform arbitrary code execution.

“A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine.” reads the security advisory.

“To exploit the vulnerability, an attacker could send a specially crafted DHCP responses to a client. The security update addresses the vulnerability by correcting how Windows DHCP clients handle certain DHCP responses.”

“A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system.” reads the security advisory related to the CVE-2019-055 issue. “To exploit the vulnerability, an attacker could run a specially crafted application on a guest operating system that could cause the Hyper-V host operating system to execute arbitrary code.”

Only one of the issues addressed with Microsoft January 2019 Patch Tuesday that resides in the Microsoft JET Database Engine was publicly known, but it was not exploited in the wild. The flaw tracked as CVE-2019-0579 and rated as important could be exploited to execute arbitrary code on a target’s system by tricking users into opening a specially-crafted file.

The tech giant also fixed a vulnerability in Skype for Android (CVE-2019-0622) that could have allowed a local attacker with physical access to an Android device to bypass the lock screen and potentially expose victim’s data.

Below there is the full list of vulnerabilities addressed by the Microsoft January 2019 Patch Tuesday.

Share On

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US.
Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines.
Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This site uses cookies, including for analytics, personalization, and advertising purposes. For more information or to change your cookie settings, click here.

If you continue to browse this site without changing your cookie settings, you agree to this use.AcceptRead More

Privacy and Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.

Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.

Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.